clusterlink-net / clusterlink

A Gateway for connecting application services in different domains, networks, and cloud infrastructures
https://clusterlink.net

Certificates should be stored as TLS secrets #509

Open elevran opened 4 months ago

elevran commented 4 months ago

Currently all ClusterLink secrets are created as type Opaque:

```
$ kubectl get secret --namespace clusterlink-system
NAME              TYPE     DATA   AGE
cl-controlplane   Opaque   2      19h
cl-dataplane      Opaque   2      19h
cl-fabric         Opaque   1      19h
cl-peer           Opaque   1      19h
```

Typically, certificates (such as `cl-peer`) should use `Spec.SecretType: SecretTypeTLS`. These have predefined fields for the certificate and key.

Search for `SecretTypeTLS` in `corev1` and the kubectl documentation.

The change should affect the clusterlink CLI and any manual deployment documentation (if present).

elevran commented 4 months ago

the ROI on this is low: some risk, low reward (having predefined data fields in secrets and clearer secret type). Pushing out on fixing this to later with lower priority. Changes are needed in documentation and YAML templates (mostly adding type: kubernetes.io/tls and changing cert and key to tls.cert and tls.key in secrets. Mount paths need to change accordingly)